Privacy policy
- TERMS AND DEFINITIONS
1.1. Notice – this Company’s Privacy notice.
1.2. Data subject (also “you”) – individual, whose personal data is processed by the Company.
1.3. EU/EEA – European Union and European Economic Area.
1.4. Application software (also “Application” or “App”) – Company’s applications maxaa.pos, Cash Register application maxaa.ecr, Online ERP maxaa.erp or POS terminals used by the Data subject.
1.5. Website – Company’s website maxaa.eu.
1.6. Company (also “we”) – MAXAA BİLGİ TEKNOLOJİ SANAYİ VE TİCARET LİMİTED ŞİRKETİ, registration No. 6132034231, legal address: ZÜMRÜTEVLER MAH. PINARCIK SK. PINAR APT NO: 8 IÇ KAPI NO: 1 MALTEPE/ ISTANBUL.
1.7. GDPR – General Data Protection Regulation.
1.8. Other terms defined by the GDPR Article 4- “personal data”, “processing”, “restriction of processing”, “controller”, “processor”, “recipient”, “profiling” – are used in this Notice with the same meaning.
- PURPOSE OF THE NOTICE AND SCOPE OF APPLICATION
The purpose of this Notice is to inform the Data subject about the processing of personal data by the Company. The Notice applies in all cases when the Company processes the personal data of the Data subject (e.g., when the Data subject uses the Application, visits the Website, contacts the Company, etc.).
- INFORMATION ABOUT CONTROLLER
Company is considered to be the controller of personal data, which means that it determines the purposes of the processing of personal data (i.e., “why” personal data are processed) and the means (i.e., “how” personal data are processed. Contact details of the company: (a) e-mail address: info@zalapay.com; (b) telephone number: +371 25676060.
- PERSONAL DATA SOURCES
If it is legally justified in each individual case, the Company may receive personal data about the Data subject in two ways:
4.1. receiving directly from the Data subject, mainly when he/she:
(a) uses the App or visits the Website;
(b) communicates with the Company (e.g., by phone, through the App, email, ordinary mail, social networks and other forms of communication);
(c) otherwise provides personal data to the Company.
4.2. receiving from third sources (e.g., public authorities, business register data base, etc.).
- CATEGORIES OF PROCESSED PERSONAL DATA
Company mainly processes the following data categories:
(a) Basic data (e.g., name, surname, personal code, date of birth, age, address);
(b) Contact details (e.g., phone number, e-mail address, residence address);
(c) Data associated with the device (e.g., device identifier, device model, operating system version, location when using apps);
(d) Location;
(e) Network data (source IP address);
(f) Communication data (by telephone (NB! All telephone conversations with the Company are recorded) or in writing);
(g) Other personal data provided by the data subject to the Company or obtained by the Company.
- PURPOSES OF PERSONAL DATA PROCESSING
6.1. The Company processes personal data primarily for the following purposes:
(a) Ensuring functionality of the App or Website;
(b) Communication with the Data subject in connection with the use of the App, Website or services provided by the Company;
(c) Provision of the requested services;
(d) Creation and use of the user account;
(e) User account administration;
(f) Replying to the Data subject’s application, complaint, request or question;
(g) Seeking Data subject’s opinion;
(h) Exercise and protection of Company’s rights and interests;
(i) Market research and trend identification;
(j) Prevention of illegal activities (e.g., fraud prevention, property protection, etc.);
(k) Improvement of the Company’s Application, Website and processes related to their use;
(l) direct marketing purposes, such as: (1) sending commercial communications (e.g., depending on the Data subject’s choice, sending up-to-date information about services, special offers, etc. to the Data subject’s e-mail and/or phone number, making calls, communicating with the Data subject through social networks as well as other communication channels); (2) organization of customer loyalty events (including organization of lotteries); (3) the use of targeting strategies, cookies and similar technologies; (4) evaluation and research of customer groups; (5) reaching potential customers and/or offering services through other information/communication channels (including, but not limited to, social networks, mail, internet, search sites, blogs, comparison sites and other channels);
(m) Creation of a user database and other administrative purposes;
(n) Fulfilment of obligations laid down in regulatory enactments;
(o) Responding to requests from competent national authorities;
(p) Bringing, maintaining, enforcing a legal action;
(q) Research, analytics and statistics;
(r) Improving the quality/efficiency of the Company’s service provision;
(s) To troubleshoot service problems and disruptions;
(t) Customer satisfaction assessment;
(u) Handling of complaints of Data subjects; Creation of a register of complaints;
(v) Ensuring security (including information and cybersecurity), preventing and detecting property protection and criminal offences;
(w) Quality control of the content of calls, quality control of servicing; Preservation of evidence (on the accuracy of the information provided; competence of the staff member, etc.).
6.2. The Company is entitled to process personal data also for purposes other than those mentioned in the previous paragraph, if there is a relevant legal basis.
- LEGAL BASIS OF PROCESSING
7.1. The legal basis on which we process your personal data depends on the type of personal data processed and for what purposes processing takes place.
7.2. We mainly process personal data based on the following legal grounds: (a) your consent (where necessary, e.g. when sending you commercial communications); (b) conclusion and enforcement agreement (e.g., on provision of Company’s services); (c) compliance with our legal obligation (e.g. ensuring the security of processing); (d) the processing is necessary for the protection of the vital interests of the person; (e) the processing is necessary for our legitimate interests or those of a third party (e.g. bringing and maintaining a legal claim, ensuring security, internal administrative purposes, etc.).
- CATEGORIES OF RECIPIENTS AND PERSONAL DATA TRANSFER OUTSIDE EU/EEA
8.1. Where legally justified in each individual case, personal data may be transferred to the following categories of recipients:
(a) Employees and officials of the Company;
(b) Company service providers (processors and other controllers), e.g., information storage service providers, information and communication technology (ICT) service providers, etc.;
(c) State institutions, e.g., Consumer Rights Protection Centre, State Revenue Service, Data State Inspectorate, State Police, etc.;
(d) Other recipients entitled to receive personal data.
8.2. We mainly process personal data in the EU/EEA territory. However, during the processing process (e.g., when the Company uses some service), personal data may be transferred to a recipient outside the EU/EEA. In this case, the Company ensures that the GDPR requirements for the transfer of personal data outside the EU/EEA are complied with. More detailed information on the transfer of personal data is available by contacting the Company using the contact information provided in this document.
- PERSONAL DATA STORAGE TERM
We will store personal data in accordance with our data retention policy. The retention period depends mainly on the category of personal data concerned and the purpose of the processing. For certain categories of personal data, retention periods are laid down in the applicable laws (e.g. in the field of taxation, consumer protection, anti-money laundering, etc.). In other cases, when the retention period is not specified in the applicable laws, the Company determines the retention period itself, taking into account the principles of personal data processing laid down in the GDPR. For example, a longer retention period may be set if personal data is necessary for the purposes of the legitimate interests, e.g. by helping us respond to customer complaints, preventing criminal offences, responding to requests from public authorities, etc. At the end of the retention period, personal data will be deleted or permanently anonymised.
- DATA SUBJECT RIGHTS
10.1. The GDPR grants data subjects a number of rights in relation to their personal data, namely:
(a) Right of access to personal data;
(b) Right to correct personal data;
(c) Right to delete personal data;
(d) Right to request restriction of processing;
(e) Right to object to processing;
(f) Right to portability of a personal data;
(g) Right to withdraw consent at any time if it is used as a legal basis for processing (NB! Withdrawal of consent shall not affect the lawfulness of processing based on prior consent).
10.2. You should note that the above rights are not absolute. In particular, the GDPR and other applicable laws also provide for limitations and exceptions to those rights.
10.3. In order to exercise the above-mentioned rights, the Data subject must contact the Company in one of the following ways:
(a) By sending a handwritten application to the Company’s legal address; or
(b) By sending an application signed with a secure electronic signature to the Company’s e-mail, which is indicated in this document.
10.4. If the Company has reasonable doubts about the identity of the natural person who submits a request for the exercise of the above-mentioned rights, the Company may request that additional information necessary for the confirmation of the identity of the Data Subject be provided.
- DISPUTE RESOLUTION AND SUBMISSION OF CLAIMS
The Company hopes to resolve any dispute in a friendly manner and expects the Data subject to initially address the Company if he/she considers that the processing does not comply with the GDPR and/or other laws and regulations governing the protection of personal data. However, the Data subject is entitled to submit a complaint to the Data State Inspectorate if he/she considers that the processing carried out by the Company is in contradiction with the GDPR and/or other laws and regulations governing the protection of personal data.
- OBLIGATION TO PROVIDE PERSONAL DATA
Whether the Data subject has the right or obligation to provide personal data depends primarily on the purpose of the processing. For example, you are free to choose whether to use the Company’s Application or Website, but in this case the provision of personal data will be mandatory in order to use the services offered through the Application and/or the Website, otherwise the Company will not be able to provide these services. Signing up for newsletters from the Company is always voluntary and based on your consent, which you can always change or withdraw.
- AUTOMATED DECISION MAKING AND PROFILING
The Company does not take automated decisions that have legal consequences in relation to the data subject or similarly have a significant impact on the Data subject. The Company may perform profiling for marketing purposes or for the purpose of personalizing offers reflected in the Application or Website to the data subject.
- PASSWORD AND ACCESS TO USER ACCOUNT
14.1. When creating a user account in the Application or Website, the Data subject is obliged to create a secure password. The data subject is not entitled to disclose this password to any third party. The Data subject is obliged to change the password if he/she suspects that it has been found out by a third party.
14.2. The abovementioned user account may only be used by the Data subject himself or herself for his or her own needs.
- AMENDMENTS
The Company is entitled to unilaterally make changes to this Notice. The changes take effect on the day when the updated Notice is published on the App or Website. In case of significant changes, the Data subject will be informed about them using the contact information available to the Company.